Security, privacy and data integrity

Sign-in is handled by Supabase Auth. Every request to our backend is verified server-side. Sensitive routes are protected and authorisation is checked on the server — never relying on hidden UI alone.

Database tables enforce Row-Level Security policies. Users can only read or write records they are entitled to. Cross-organisation access is denied by default.

Issued certificates are immutable. Revisions and audit history are append-only. Any amendment after issue produces a new revision and a new PDF — previous versions remain available.

Significant actions — creation, modification, submission, approval, issue, archive, ownership transfer and role changes — are recorded so they can be reviewed later.

All traffic between your device and AmpRegs AI is served over HTTPS. Files in storage are accessed via short-lived signed URLs rather than public links.

Found a security issue? Please email support@ampregs.com with details so we can investigate. Do not exploit findings against other users' data.